Dell EMC squashes pair of VMAX virtual appliance bugs

vApp Manager contained undocumented default account

Dell EMC has patched two serious flaws in the management interface for its VMAX enterprise storage systems, one of which could potentially allow a remote attacker to gain unauthorised access to systems.

The vendor announced that the VMAX vApp Manager had "Multiple Vulnerabilities" in a security advisory earlier this week.

The message said the vApp Manager, embedded in four Dell EMC products, contains two security vulnerabilities. It has reserved a spot on Mitre's Common Vulnerabilities and Exposures list (CVE-2018-1215) for an "Arbitrary file upload vulnerability", and another at CVE-2018-1216 for a "Hard-coded password vulnerability".

The second, as you might imagine, is the more serious one, as "a remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system".

Dell EMC said it had "removed the undocumented default account – 'smc' – for all fresh installations of versions of the products that contain the fixes. The account cannot be removed from the user database for upgrade situations, however all servlets that use this account have been removed from the application making the account obsolete."
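To make the advisory concrete, here is the authentication pattern it describes beside a hardened form. This is an added illustration written for this article, not Dell EMC's vApp Manager code (which is not public): the servlet names, the request parameter names, the placeholder password string, the PBKDF2 user store and the "obsolete accounts" list are all assumptions. The only detail taken from the advisory is the account name "smc".

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// BEFORE: the class of bug CVE-2018-1216 describes. An undocumented account and
// its password are compiled into the servlet, so anyone who recovers the string
// from the binary and knows the request format can log in as that account.
// (Hypothetical servlet; the password value is a placeholder, not the real one.)
class VulnerableLoginServlet extends HttpServlet {
    private static final String DEFAULT_USER = "smc";
    private static final String DEFAULT_PASSWORD = "placeholder-not-the-real-value";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("password");
        if (DEFAULT_USER.equals(user) && DEFAULT_PASSWORD.equals(pass)) {
            resp.getWriter().println("authenticated"); // privileged actions would follow
            return;
        }
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}

// Hypothetical user store: salted PBKDF2-HMAC-SHA256, compared in constant time.
final class PasswordStore {
    private record Entry(byte[] salt, byte[] hash) {}
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> entries = new HashMap<>();

    void add(String user, char[] password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        entries.put(user, new Entry(salt, derive(password, salt)));
    }

    boolean verify(String user, char[] password) {
        Entry e = entries.get(user);
        if (e == null) {
            derive(password, new byte[16]); // same cost for unknown users, so timing leaks nothing
            return false;
        }
        return MessageDigest.isEqual(e.hash(), derive(password, e.salt()));
    }

    private static byte[] derive(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {
            throw new IllegalStateException(ex);
        }
    }
}

// AFTER: no credential in code, every login goes through the user store, and
// accounts that a fix could not delete from an upgraded database (the advisory's
// upgrade case) are refused before the store is even consulted.
class HardenedLoginServlet extends HttpServlet {
    static final Set<String> OBSOLETE_ACCOUNTS = Set.of("smc"); // assumed list
    private final PasswordStore store;

    HardenedLoginServlet(PasswordStore store) { this.store = store; }

    static boolean authenticate(PasswordStore store, String user, char[] password) {
        if (user == null || password == null) return false;
        if (OBSOLETE_ACCOUNTS.contains(user)) return false; // stale DB row cannot be used
        return store.verify(user, password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("password");
        char[] secret = pass == null ? null : pass.toCharArray();
        if (!authenticate(store, user, secret)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.getWriter().println("authenticated");
    }
}
```

The deny-list on the hardened servlet is the point to take from the advisory: when an upgrade cannot delete a row from the user database, the application must refuse that account at every entry point, not merely drop the code paths that used it. An operator validating a patched upgrade would try the legacy account name against every remaining login endpoint and expect a rejection each time.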

The first flaw, CVE-2018-1215, allows "an authenticated, remote attacker to upload arbitrary files on a targeted system". On its own that requires valid credentials, but Dell EMC warned that an attacker could chain it with CVE-2018-1216: log in with the hard-coded "smc" credential, then use the upload flaw to write arbitrary files to the appliance.

Admins are advised to install updates and, of course, keep strangers out of the network.